/// <summary>
/// WCF interceptor hook: treats the incoming message as an OAuth request for a protected resource.
/// On success the principal built from the access token is attached to the message's security
/// context; on an <see cref="OAuthException"/> an HTML problem report is sent back with 403 and
/// <paramref name="requestContext"/> is cleared so the request is not dispatched any further.
/// </summary>
/// <param name="requestContext">The intercepted request; set to <c>null</c> once it has been answered here.</param>
public override void ProcessRequest(ref RequestContext requestContext)
    {
      if (requestContext == null)
      {
        return;
      }

      Message request = requestContext.RequestMessage;
      if (request == null)
      {
        return;
      }

      // HTTP verb comes from the transport property, the target URI from the WS-Addressing "To" header.
      HttpRequestMessageProperty httpRequest =
        (HttpRequestMessageProperty) request.Properties[HttpRequestMessageProperty.Name];
      IOAuthContext oauthContext = new OAuthContextBuilder().FromUri(httpRequest.Method, request.Headers.To);

      try
      {
        // Anything the provider dislikes about the request surfaces as an OAuthException below.
        _provider.AccessProtectedResourceRequest(oauthContext);

        AccessToken token = _repository.GetToken(oauthContext.Token);
        TokenPrincipal principal = CreatePrincipalFromToken(token);

        InitializeSecurityContext(request, principal);
      }
      catch (OAuthException authEx)
      {
        // Answer directly with 403 and an HTML report, then drop the context so WCF does not dispatch the request.
        // NOTE(review): the problem report is used as the HTTP reason phrase; confirm it can never contain CR/LF.
        XElement report = GetHtmlFormattedErrorReport(authEx);
        Message reply = Message.CreateMessage(MessageVersion.None, null, report);

        HttpResponseMessageProperty httpReply = new HttpResponseMessageProperty();
        httpReply.StatusCode = HttpStatusCode.Forbidden;
        httpReply.StatusDescription = authEx.Report.ToString();
        httpReply.Headers[HttpResponseHeader.ContentType] = "text/html";
        reply.Properties[HttpResponseMessageProperty.Name] = httpReply;

        requestContext.Reply(reply);
        requestContext = null;
      }
    }
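        /// <summary>
        /// OAuth access-token endpoint: exchanges an authorized request token for an access token,
        /// persists the access token and writes it to the response body.
        /// </summary>
        /// <param name="request">ServiceStack DTO for the access-token request (the OAuth parameters
        /// themselves are read from the underlying HTTP request).</param>
        /// <returns>Always <c>null</c>; the response is written directly.</returns>
        /// <exception cref="UnauthorizedException">When the exchange fails for any reason.</exception>
        public object Get(OAuthAccessTokenRequest request)
        {
            // keep this line to inspect the Request in monodevelop's debugger
            // really helps debugging API calls
            var servicestack_http_request = this.Request;

            // TODO the OAuth spec allows other ways of specifying the parameters besides the query string
            // (i.e. the authorization header, form-encoded POST values, etc. We have to handle those
            // in the future
            var original_request = ((HttpListenerRequest)Request.OriginalRequest).ToWebRequest ();

            try {
                var context = new OAuthContextBuilder ()
                    .FromWebRequest (original_request, new MemoryStream ());
                AccessToken access_token = (AccessToken) RainyStandaloneServer.OAuth.Provider.ExchangeRequestTokenForAccessToken (context);

                Logger.DebugFormat ("permanently authorizing access token: {0}", access_token);
                RainyStandaloneServer.OAuth.AccessTokens.SaveToken (access_token);
                Response.Write (access_token.ToString ());
                Response.End ();
            } catch (Exception e) {
                // Keep the detail server-side: the exception text may describe internal state (token store
                // errors, signature base strings) that a caller should not see. The client gets a generic message.
                Logger.ErrorFormat ("failed to exchange request token for access token: {0}", e);
                throw new UnauthorizedException (){ ErrorMessage = "failed to exchange request token for access token"};
            }
            return null;
        }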
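    /// <summary>
    /// Serves the caller's contacts as XML once the request has been accepted as a signed OAuth
    /// request for a protected resource; otherwise answers 403 with the OAuth problem report.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
      var context = new OAuthContextBuilder().FromHttpRequest(Request);

      IOAuthProvider provider = OAuthServicesLocator.Services.Provider;

      var tokenRepository = OAuthServicesLocator.Services.AccessTokenRepository;

      try
      {
        // Request validation lives in the provider; failures come back as OAuthException.
        provider.AccessProtectedResourceRequest(context);

        var accessToken = tokenRepository.GetToken(context.Token);

        // A token unknown to the repository used to surface as a NullReferenceException (and an ASP.NET
        // error page); treat it as an authorization failure instead.
        if (accessToken == null)
        {
          Response.StatusCode = 403;
          Response.Write("unknown access token");
          Response.End();
          return;
        }

        string userName = accessToken.UserName;

        XDocument contactsDocument = GetContactsForUser(userName);

        Response.ContentType = "text/xml";
        Response.Write(contactsDocument);
        Response.End();
      }
      catch (OAuthException authEx)
      {
        // fairly naive approach to status codes, generally you would want to examine either the inner exception or the
        // problem report to determine an appropriate status code for your technology / architecture.

        Response.StatusCode = 403;
        Response.Write(authEx.Report);
        Response.End();
      }
    }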
		/// <summary>
		/// Regression test: a request whose query string ends with a stray "&amp;" (as sent by some
		/// OpenSocial containers) must still yield a context whose RSA-SHA1 signature validates.
		/// </summary>
		public void ValidateWithTrailingAmpersand_ForUri()
		{
			const string signedRequest =
				"http://demo.devdefined.com/OpenSocial/HelloWorld.aspx?oauth_nonce=c39f4e3e6c309988763eb8af85fcb74b&oauth_timestamp=1221992254&oauth_consumer_key=friendster.com&synd=friendster&container=default&opensocial_owner_id=82474146&opensocial_viewer_id=82474146&opensocial_app_id=52ae97f7aa8a7e7565dd40a4e00eb0f5&oauth_token=&xoauth_signature_publickey=http%3A%2F%2Fwww.fmodules.com%2Fpublic080813.crt&oauth_signature_method=RSA-SHA1&oauth_signature=PLOkRKwLLeJRZz18PsAVQgL5y9Rdf0AW5eicdT0xwauRe3bE2NTDFHoMsUtO6UMHEY0v9GRcKbvkgEWEGGtiGA%3D%3D&";

			var context = new OAuthContextBuilder().FromUri("GET", new Uri(signedRequest));
			var signer = new OAuthContextSigner();
			// Public-key verification: the signing context only needs the certificate's public key.
			var signingContext = new SigningContext { Algorithm = FriendsterCertificate.PublicKey.Key };

			Assert.True(signer.ValidateSignature(context, signingContext));
		}
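    /// <summary>
    /// Request-token endpoint: issues a request token for the consumer identified by the signed OAuth
    /// request. An invalid request is answered with 400 and the OAuth problem report instead of
    /// escaping as an unhandled ASP.NET error page (same handling as the other OAuth pages).
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
      try
      {
        IOAuthContext context = new OAuthContextBuilder().FromHttpRequest(Request);

        IOAuthProvider provider = OAuthServicesLocator.Provider;

        // Consumer and signature checks happen inside the provider before a token is granted.
        IToken token = provider.GrantRequestToken(context);

        Response.Write(token);
      }
      catch (OAuthException ex)
      {
        Response.StatusCode = 400;
        Response.Write(ex.Report.ToString());
      }

      Response.End();
    }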
    /// <summary>
    /// Regression test for devdefined-tools issue 1: OpenSocial containers (Friendster) append a stray "&amp;"
    /// to the query string, which used to break the query-parameter collection. The context builder now
    /// strips that character, so the RSA-SHA1 signature of this captured request must validate.
    /// </summary>
    public void ValidateWithTrailingAmpersand()
    {
      // Captured Friendster request, trailing "&" included
      // (http://code.google.com/p/devdefined-tools/issues/detail?id=1).
      const string signedRequest =
        "http://demo.devdefined.com/OpenSocial/HelloWorld.aspx?oauth_nonce=c39f4e3e6c309988763eb8af85fcb74b&oauth_timestamp=1221992254&oauth_consumer_key=friendster.com&synd=friendster&container=default&opensocial_owner_id=82474146&opensocial_viewer_id=82474146&opensocial_app_id=52ae97f7aa8a7e7565dd40a4e00eb0f5&oauth_token=&xoauth_signature_publickey=http%3A%2F%2Fwww.fmodules.com%2Fpublic080813.crt&oauth_signature_method=RSA-SHA1&oauth_signature=PLOkRKwLLeJRZz18PsAVQgL5y9Rdf0AW5eicdT0xwauRe3bE2NTDFHoMsUtO6UMHEY0v9GRcKbvkgEWEGGtiGA%3D%3D&";

      IOAuthContext context = new OAuthContextBuilder().FromUri("GET", new Uri(signedRequest));
      var signer = new OAuthContextSigner();
      var signingContext = new SigningContext {Algorithm = FriendsterCertificate.PublicKey.Key};

      Assert.IsTrue(signer.ValidateSignature(context, signingContext));
    }
    /// <summary>
    /// Request-token endpoint: grants a request token to the consumer that signed the request and
    /// writes it to the response. OAuth protocol failures are answered with 400 and the problem report.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
      try
      {
        var context = new OAuthContextBuilder().FromHttpRequest(Request);
        var provider = OAuthServicesLocator.Services.Provider;

        IToken token = provider.GrantRequestToken(context);
        Response.Write(token);
      }
      catch (OAuthException ex)
      {
        // The problem report becomes the 400 body; the client can read the oauth_problem from it.
        Response.StatusCode = 400;
        Response.Write(ex.Report.ToString());
      }

      // Deliberately outside the try: any other exception is left to ASP.NET's error handling.
      Response.End();
    }
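        /// <summary>
        /// Validates the RSA-SHA1 signature of a captured OpenSocial signed-fetch request against the
        /// certificate whose path is configured under the "OAuthCert" app setting. Throws when the
        /// signature does not verify; a silent return means success.
        /// </summary>
        /// <exception cref="InvalidOperationException">No certificate path is configured, or the signature is invalid.</exception>
        public void TestOAuth()
        {
            // ConfigurationSettings is obsolete (ConfigurationManager in System.Configuration is the replacement);
            // kept so that no additional assembly reference is required.
            string certificatePath = ConfigurationSettings.AppSettings["OAuthCert"];
            if (string.IsNullOrEmpty(certificatePath))
            {
                throw new InvalidOperationException("App setting 'OAuthCert' is missing; cannot validate the signature.");
            }

            X509Certificate2 cert = new X509Certificate2(certificatePath);
            AsymmetricAlgorithm provider = cert.PublicKey.Key;
            OAuthContextSigner signer = new OAuthContextSigner();
            SigningContext signingContext = new SigningContext();
            //signingContext.ConsumerSecret = ...; // if there is a consumer secret
            signingContext.Algorithm = provider;

            // Captured request. NOTE(review): the query string carries an "accessToken" value that looks like a live
            // API session credential; it cannot be swapped for a placeholder without invalidating the signature, so it
            // should be treated as exposed.
            Uri uri = new Uri(
                "http://dev-profiles.campus.net.ucsf.edu/chatter/ChatterProxyService.svc/user/5138614/unfollow/4621800?accessToken=00DZ0000000jhLQ!ARIAQAlqX_qtYj95uzEftkMIKQggfo.RoJ3KnvvakO97Xrjptfq89vTtwGFgR1jnyeNSm1CwnLSSz0N3g8.bQrX.jCpJ6Np3&oauth_body_hash=2jmj7l5rSw0yVb/vlWAYkK/YBwk=&opensocial_owner_id=4621800&opensocial_viewer_id=5138614&opensocial_app_id=http://dev-profiles.ucsf.edu/ORNG/ChatterFollow.xml&opensocial_app_url=http://dev-profiles.ucsf.edu/ORNG/ChatterFollow.xml&oauth_consumer_key=&xoauth_signature_publickey=mytestkey&xoauth_public_key=mytestkey&oauth_version=1.0&oauth_timestamp=1349466703&oauth_nonce=7533897618501371565&oauth_consumer_key=&oauth_signature_method=RSA-SHA1&oauth_signature=d0UIIXK+HwbkLD4VE59ylZ9XoBreMBqc0Kcf4v2DjzWT0AE1JtCUhDmS1Uy1P9K54tpeoQwjcu8mnWsA7PQpTRTYyU1k+ueT4M2ihoaB+CunpZz6Q3KE8MUZn4Sy0D7iNuje6WdgHZ80f9Ln8OwRPzrfHA5v0KowATRv7T2h+x0="
                );

            IOAuthContext context = new OAuthContextBuilder().FromUri("GET", uri);

            // use context.ConsumerKey to fetch information required for signature validation for this consumer.
            if (!signer.ValidateSignature(context, signingContext))
            {
                // Specific exception type instead of a bare Exception; the URI is included so the failing request can be replayed.
                throw new InvalidOperationException("Invalid signature : " + uri);
            }
        }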
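        /// <summary>
        /// ServiceStack request filter: answers 401 unless the request carries a valid OAuth signature
        /// whose access token belongs to the user named in the DTO.
        /// </summary>
        /// <param name="request">Incoming request; the OAuth parameters are taken from the underlying HttpListenerRequest.</param>
        /// <param name="response">Response used to send the 401 directly.</param>
        /// <param name="requestDto">Deserialized DTO; only the user-scoped DTOs are accepted.</param>
        public void RequestFilter(IHttpRequest request, IHttpResponse response, object requestDto)
        {
            string Username = "";
            if (requestDto is UserRequest) {
                Username = ((UserRequest)requestDto).Username;
            } else if (requestDto is GetNotesRequest) {
                Username = ((GetNotesRequest)requestDto).Username;
            } else if (requestDto is PutNotesRequest) {
                Username = ((PutNotesRequest)requestDto).Username;
            } else {
                response.ReturnAuthRequired ();
                return;
            }

            var web_request = ((HttpListenerRequest)request.OriginalRequest).ToWebRequest ();
            IOAuthContext context = new OAuthContextBuilder ().FromWebRequest (web_request, new MemoryStream ());

            try {
                Logger.Debug ("trying to acquire authorization");
                RainyStandaloneServer.OAuth.Provider.AccessProtectedResourceRequest (context);
            } catch (Exception e) {
                // The missing `return` here used to let execution fall through to the token lookup and the
                // username check after the 401 had already been issued.
                Logger.DebugFormat ("failed to obtain authorization ({0}), oauth context is: {1}", e.Message, context.Dump ());
                response.ReturnAuthRequired ();
                return;
            }

            // check if the access token matches the username
            var access_token = Rainy.RainyStandaloneServer.OAuth.AccessTokens.GetToken (context.Token);
            if (access_token == null || access_token.UserName != Username) {
                // forbidden: the token is unknown to the store, or it belongs to somebody else
                Logger.Debug ("username does not match the one in the access token, denying");
                response.ReturnAuthRequired ();
                return;
            }
            Logger.DebugFormat ("authorization granted for user {0}", Username);

            // possible race condition but locking is to expensive
            // at this point, rather accept non-precise values
            MainClass.ServedRequests++;
        }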
    /// <summary>
    /// Access-token endpoint: swaps an authorized request token for an access token and writes it out.
    /// OAuth protocol failures are reported with 400 and the problem report in the body.
    /// </summary>
    protected void Page_Load(object sender, EventArgs e)
    {
      try
      {
        var context = new OAuthContextBuilder().FromHttpRequest(Request);
        var provider = OAuthServicesLocator.Services.Provider;

        IToken accessToken = provider.ExchangeRequestTokenForAccessToken(context);
        Response.Write(accessToken);
      }
      catch (OAuthException ex)
      {
        // fairly naive approach to status codes - generally you would look at the inner exception or the
        // problem report to pick the status code that fits your technology / architecture.
        Response.StatusCode = 400;
        Response.Write(ex.Report.ToString());
      }

      Response.End();
    }
        /// <summary>
        /// Checks the OAuth signature of the current request against the consumer secret supplied.
        /// </summary>
        /// <param name="secret">Consumer secret the signature is expected to have been computed with.</param>
        /// <returns><c>true</c> when the signature verifies; <c>false</c> when it does not, or when the
        /// request is not a well-formed OAuth request at all.</returns>
        private bool IsOAuthValid( string secret )
        {
            try {
                var context = new OAuthContextBuilder().FromHttpRequest( Request );
                IOAuthContextSigner signer = new OAuthContextSigner();
                var signingContext = new SigningContext { ConsumerSecret = secret };

                return signer.ValidateSignature( context, signingContext );
            } catch( OAuthException ) {
                // A malformed or unsigned request is reported as "not valid" rather than bubbled up.
                return false;
            }
        }
        /// <summary>
        /// Request-token endpoint (GET): grants a request token to the consumer that signed the request
        /// and writes it to the response body.
        /// </summary>
        /// <param name="request">ServiceStack DTO; its <c>RequestStream</c> is handed to the context builder as the body.</param>
        /// <returns>Always <c>null</c>; the response is written directly.</returns>
        public object Get(OAuthRequestTokenRequest request)
        {
            // keep this line to inspect the Request in monodevelop's debugger
            // really helps debugging API calls
            var servicestack_http_request = Request;

            var listener_request = (HttpListenerRequest)Request.OriginalRequest;
            HttpWebRequest original_request = listener_request.ToWebRequest ();

            IOAuthContext context = new OAuthContextBuilder ().FromWebRequest (original_request, request.RequestStream);

            // Nothing is caught here: an exception from the provider presumably ends up in ServiceStack's default error handling.
            IToken token = RainyStandaloneServer.OAuth.Provider.GrantRequestToken (context);
            Logger.DebugFormat ("granting request token {0} to consumer", token);

            Response.StatusCode = 200;
            Response.Write (token.ToString ());
            Response.End ();

            return null;
        }
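        /// <summary>
        /// Authorization step of the OAuth dance: the resource owner supplies username/password, the
        /// pending request token is marked as authorized, a verifier and the future access token are
        /// attached to it, and the user agent is redirected to the consumer's callback.
        /// </summary>
        /// <param name="request">DTO carrying the user's credentials (the oauth_* parameters are read from the URL).</param>
        /// <returns>Always <c>null</c>; the response is written or redirected directly.</returns>
        public object Any(OAuthAuthorizeRequest request)
        {
            // keep this line to inspect the Request in monodevelop's debugger
            // really helps debugging API calls
            var servicestack_http_request = Request;

            // TODO the OAuth spec allows other ways of specifying the parameters besides the query string
            // (i.e. the authorization header, form-encoded POST values, etc. We have to handle those
            // in the future.
            var original_request = (HttpListenerRequest)Request.OriginalRequest;
            var context = new OAuthContextBuilder ().FromUri (Request.HttpMethod, original_request.Url);

            // check if the user is authorized
            // TODO this is just a basic hack to enable authorization
            if (!userIsAllowed (request.Username, request.Password)) {
                // unauthorized
                Logger.WarnFormat ("Failed to authorize user {0}", request.Username);
                Response.StatusCode = 403;
                Response.StatusDescription ="Authorization failed";
                // The username comes straight from the client and is reflected into HTML: it must be encoded,
                // otherwise a crafted username turns this error page into a script injection (XSS).
                Response.Write (
                    "<html><h1 style='margin-top: 1em'>Authorization failed for user "
                    + "<b>" + System.Net.WebUtility.HtmlEncode (request.Username) + "</b>"
                    + " (maybe wrong password?).</h1></html>"
                );
                Response.Close ();
                return null;
            }
            // authorization succeeded, continue
            Logger.InfoFormat ("Successfully authorized user: {0}", request.Username);

            var request_token = Rainy.RainyStandaloneServer.OAuth.RequestTokens.GetToken (context.Token);
            if (request_token == null) {
                // oauth_token in the URL does not refer to a pending request token; this used to crash with a NullReferenceException.
                Logger.WarnFormat ("Unknown request token presented by user {0}", request.Username);
                Response.StatusCode = 400;
                Response.StatusDescription = "Unknown request token";
                Response.Close ();
                return null;
            }

            // NOTE(review): Guid.NewGuid() is not documented as a cryptographically strong generator; the verifier
            // and the token secret would be better sourced from RandomNumberGenerator.
            request_token.Verifier = Guid.NewGuid ().ToString ();
            request_token.AccessDenied = false;

            request_token.AccessToken = new AccessToken () {
                ConsumerKey = request_token.ConsumerKey,
                Realm = request_token.Realm,
                Token = Guid.NewGuid ().ToString (),
                TokenSecret = Guid.NewGuid ().ToString (),
                UserName = request.Username,
                // effectively never expires; DateTime.Now is local time - how the store compares it is not visible here
                ExpiryDate = DateTime.Now.AddYears (99)
            };

            RainyStandaloneServer.OAuth.RequestTokens.SaveToken (request_token);
            Logger.DebugFormat ("created an access token for user {0}: {1}", request.Username, request_token);

            // redirect to the provided callback; a callback that already carries a query string gets "&" instead
            // of a second "?", and the values are escaped so they survive as query parameters.
            string callback_url = request_token.CallbackUrl ?? "";
            string separator = callback_url.Contains ("?") ? "&" : "?";
            var redirect_url = callback_url + separator
                + "oauth_verifier=" + Uri.EscapeDataString (request_token.Verifier)
                + "&oauth_token=" + Uri.EscapeDataString (request_token.Token);
            Logger.DebugFormat ("redirecting user {0} to consumer at: {1}", request.Username, redirect_url);
            Response.Redirect (redirect_url);
            return null;
        }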
        /// <summary>
        /// Request-token endpoint (GET): asks the provider for a request token on behalf of the signing
        /// consumer and writes it to the response body.
        /// </summary>
        /// <param name="request">ServiceStack DTO; its <c>RequestStream</c> is passed on as the request body.</param>
        /// <returns>Always <c>null</c>; the response is written directly.</returns>
        public object Get(OAuthRequestTokenRequest request)
        {
            var listener_request = (HttpListenerRequest)Request.OriginalRequest;
            HttpWebRequest web_request = listener_request.ToWebRequest ();

            // The signature on a request-token request is not really checked here, and that is accepted:
            // signing one only takes the consumer secret, which is "anyone" and hard-coded into the Tomboy
            // and Rainy sources - both open source, so it is public knowledge anyway.
            IOAuthContext context = new OAuthContextBuilder ().FromWebRequest (web_request, request.RequestStream);
            IToken token = oauthHandler.Provider.GrantRequestToken (context);
            Logger.DebugFormat ("granting request token {0} to consumer", token);

            Response.StatusCode = 200;
            Response.Write (token.ToString ());
            Response.End ();

            return null;
        }
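        /// <summary>
        /// ServiceStack request filter: authenticates the request either by its OAuth signature
        /// (Authorization header) or by a temporary access token (AccessToken header), checks that the
        /// token's user matches the username in the DTO when there is one, and stashes the token and the
        /// username in <c>request.Items</c> for the service.
        /// </summary>
        /// <param name="request">Incoming request; OAuth parameters are read from the underlying HttpListenerRequest.</param>
        /// <param name="response">Not used; failures are signalled by throwing.</param>
        /// <param name="requestDto">Deserialized DTO; the user-scoped DTOs supply the username to verify.</param>
        /// <exception cref="UnauthorizedException">No credential is present, authentication failed, the token is
        /// unknown, or it belongs to another user.</exception>
        public void RequestFilter(IHttpRequest request, IHttpResponse response, object requestDto)
        {
            bool use_temp_access_token = request.Headers.AllKeys.Contains ("AccessToken");
            bool check_oauth_signature = request.Headers.AllKeys.Contains ("Authorization");

            string username = "";
            if (requestDto is UserRequest) {
                username = ((UserRequest)requestDto).Username;
            } else if (requestDto is GetNotesRequest) {
                username = ((GetNotesRequest)requestDto).Username;
            } else if (requestDto is GetSingleNoteRequest) {
                username = ((GetSingleNoteRequest)requestDto).Username;
            } else if (requestDto is PutNotesRequest) {
                username = ((PutNotesRequest)requestDto).Username;
            }

            if (!check_oauth_signature && !use_temp_access_token) {
                // No credential at all. Previously the user-scoped DTOs slipped past this point and were only
                // rejected by accident (a NullReferenceException in the token lookup caught below).
                throw new UnauthorizedException ();
            }
            Logger.Debug ("trying to acquire authorization");

            IOAuthContext context = null;
            AccessToken access_token;

            try {
                var oauthHandler = EndpointHost.Container.Resolve<OAuthHandler> ();
                if (check_oauth_signature) {
                    var web_request = ((HttpListenerRequest)request.OriginalRequest).ToWebRequest ();
                    context = new OAuthContextBuilder ().FromWebRequest (web_request, new MemoryStream ());
                    // HACK ServiceStack does not inject into custom attributes
                    oauthHandler.Provider.AccessProtectedResourceRequest (context);
                    // check if the access token matches the username given in an url
                    access_token = oauthHandler.AccessTokens.GetToken (context.Token);
                } else {
                    access_token = oauthHandler.AccessTokens.GetToken (request.Headers["AccessToken"]);
                }

                if (access_token == null) {
                    // unknown token: reject explicitly rather than via the NullReferenceException below
                    Logger.Debug ("access token not found, denying");
                    throw new UnauthorizedException ();
                }

                if (!string.IsNullOrEmpty (username) && access_token.UserName != username) {
                    // forbidden
                    Logger.Debug ("username does not match the one in the access token, denying");
                    throw new UnauthorizedException ();
                }

                // TODO remove checks - why is it run twice?
                if (!request.Items.Keys.Contains ("AccessToken")) {
                    // context is non-null on the else branch: without a temp token the signature path was taken
                    if (use_temp_access_token)
                        request.Items.Add ("AccessToken", request.Headers["AccessToken"]);
                    else
                        request.Items.Add ("AccessToken", context.Token);
                }
                if (!request.Items.Keys.Contains ("Username"))
                    request.Items.Add ("Username", access_token.UserName);
            } catch (Exception e) {
                // Every failure (signature, unknown token, store error) collapses into 401 for the client;
                // the reason is kept in the debug log only.
                if (context != null)
                    Logger.DebugFormat ("failed to obtain authorization, oauth context is: {0}", context.Dump ());
                Logger.DebugFormat ("failed to obtain authorization: {0}", e);
                throw new UnauthorizedException ();
            }

            Logger.DebugFormat ("authorization granted for user {0}", username);

            // possible race condition but locking is to expensive
            // at this point, rather accept non-precise values
            MainClass.ServedRequests++;
        }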
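        /// <summary>
        /// Validates the OAuth signature of the current request against the single consumer key/secret
        /// pair configured in app settings ("OauthKey" / "OauthSecret").
        /// </summary>
        /// <returns><c>true</c> only when a secret is configured, the request's consumer key equals the
        /// configured key and the signature verifies with the configured secret.</returns>
        private bool IsOAuthSignatureValid()
        {
            string oauthKey = System.Configuration.ConfigurationManager.AppSettings["OauthKey"];
            // Normally would use key to lookup appropriate secret for the specifc LMS

            string oauthSecret = System.Configuration.ConfigurationManager.AppSettings["OauthSecret"];

            // Fail closed when no secret is configured: validating against an empty secret would most likely
            // accept any request that was itself signed with an empty secret.
            if (string.IsNullOrEmpty(oauthSecret))
            {
                return false;
            }

            try
            {
                var context = new OAuthContextBuilder().FromHttpRequest( Request );

                // The configured key was read but never compared before; a request presenting a different
                // consumer key must not be accepted just because it was signed with the shared secret.
                if (!string.Equals(context.ConsumerKey, oauthKey, StringComparison.Ordinal))
                {
                    return false;
                }

                IOAuthContextSigner signer = new OAuthContextSigner();

                SigningContext signingContext = new SigningContext {ConsumerSecret = oauthSecret};

                return signer.ValidateSignature( context, signingContext );
            }
            catch (OAuthException)
            {
                // A malformed or unsigned request is "not valid", not an unhandled exception.
                return false;
            }
        }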
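        /// <summary>
        /// For a signed fetch, verifies the OAuth signature of the current WCF web request with the
        /// configured <c>signer</c> and <c>signingContext</c>; a no-op when <c>signedFetch</c> is off.
        /// </summary>
        /// <exception cref="InvalidOperationException">Called outside a WCF web operation (no current context).</exception>
        /// <exception cref="UnauthorizedAccessException">The signature does not verify.</exception>
        private void ValidateSignature()
        {
            if (!signedFetch)
            {
                return;
            }

            WebOperationContext operationContext = WebOperationContext.Current;
            if (operationContext == null)
            {
                // Outside an operation there is no request to check; say so instead of failing with a NullReferenceException.
                throw new InvalidOperationException("ValidateSignature requires a current WebOperationContext.");
            }

            IncomingWebRequestContext request = operationContext.IncomingRequest;
            Uri requestUri = request.UriTemplateMatch.RequestUri;

            IOAuthContext context = new OAuthContextBuilder().FromUri(request.Method, requestUri);

            // use context.ConsumerKey to fetch information required for signature validation for this consumer.
            if (!signer.ValidateSignature(context, signingContext))
            {
                // A specific exception type so callers and fault handling can tell an auth failure from other errors.
                throw new UnauthorizedAccessException("Invalid signature : " + requestUri);
            }
        }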
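        /// <summary>
        /// Request-token endpoint: grants a request token to the signing consumer. OAuth protocol errors
        /// are answered with 400 and the problem report; anything else with a generic 500.
        /// </summary>
        /// <param name="request">ServiceStack DTO; its <c>RequestStream</c> is passed as the request body.</param>
        /// <returns>Always <c>null</c>; the response is written and closed here.</returns>
        public object Any(OAuthRequestTokenRequest request)
        {
            // keep this line to inspect the Request in monodevelop's debugger
            // really helps debugging API calls
            var servicestack_http_request = Request;

            HttpWebRequest original_request = ((HttpListenerRequest)Request.OriginalRequest).ToWebRequest ();

            try {
                IOAuthContext context = new OAuthContextBuilder ().FromWebRequest (original_request, request.RequestStream);
                IToken token = RainyStandaloneServer.OAuth.Provider.GrantRequestToken (context);
                Logger.DebugFormat ("granting request token {0} to consumer", token);

                Response.StatusCode = 200;
                Response.Write (token.ToString ());
            } catch (OAuthException oauthEx) {
                // A protocol error reported by the provider is the client's fault: 400 plus the OAuth problem report.
                Logger.DebugFormat ("rejected request token request: {0}", oauthEx.Report);
                Response.StatusCode = 400;
                Response.Write (oauthEx.Report.ToString ());
            } catch (Exception e) {
                // Log the whole exception but do not echo its message: it can carry internal detail, and as a
                // reason phrase it would also have to be free of CR/LF.
                Logger.ErrorFormat ("Caught exception: {0}", e);
                Response.StatusCode = 500;
                Response.StatusDescription = "Internal server error";
            } finally {
                Response.Close ();
            }
            return null;
        }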